
The White Paper was developed in the context of CIPL’s ongoing GDPR Implementation Project, a multi-year initiative involving research, workshops, webinars and white papers, supported by over 70 private sector organizations, with active engagement and participation by many EU-based data protection and governmental authorities, academics and other stakeholders.

The purpose of the White Paper is twofold: (1) to serve as formal input to the Article 29 Working Party’s work on developing further guidance on the proper implementation of the DPO role under the GDPR, which is expected to be finalized by the end of December; and (2) to provide guidance for companies that must comply with the GDPR’s DPO provisions by May 25, 2018 (i.e., the date the GDPR becomes effective).

The White Paper encourages a flexible and pragmatic implementation of the GDPR’s DPO provisions to ensure that they work for organizations of all sizes and types, from large multinational organizations to SMEs, start-ups, NGOs and public authorities. It identifies challenges posed by specific DPO requirements and proposes sensible interpretations and “best practices” for (1) implementing them and (2) maximizing the potential of the DPO to drive the dual goals of compliance and accountability on the one hand, and the strategic and beneficial use of data on the other.

The specific issues addressed in the White Paper include:

mandatory vs. non-mandatory DPOs;

processor DPOs;

EU-wide harmonization of DPO designation criteria;

sanctions for DPO violations;

personal liability;

DPO expertise, skills and certifications;

the DPO’s location;

internal, external and part-time DPOs;

the strategic and business enabling roles of the DPO and other non-compliance roles;

independence, protected status and reporting to the “highest management level”;

duties of secrecy and confidentiality;

proper and timely DPO involvement in data processing operations;

the DPO’s access to resources;

conflicts of interest; and

cooperation and consultation with DPAs and serving as a contact point for individuals.

Next, CIPL will issue a white paper on the roles of risk, high risk and Data Protection Impact Assessments under the GDPR, followed by a white paper on the roles of GDPR certifications, seals and marks. CIPL will address additional GDPR topics in the course of 2017.
